Prototype Pollution Vulnerability in RobinHerbots Inputmask Library
CVE-2026-16150

5.3MEDIUM

Key Information:

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2026-16150?

A vulnerability has been identified in the RobinHerbots Inputmask library versions up to 5.0.9, specifically in the method extendDefaults/extendDefinitions/extendAliases located in lib/dependencyLibs/extend.js. This vulnerability allows attackers to manipulate object prototype attributes improperly. The exploitation can be executed remotely, posing a significant security risk. Although the project was notified about this issue through an early report, no response has been received so far.

Affected Version(s)

Inputmask 5.0.0

Inputmask 5.0.1

Inputmask 5.0.2

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

wjm1 (VulDB User)
VulDB CNA Team
.